OpenEnergyMonitor Community
Important Emoncms security update for multi-user emoncms installations V9.8.11

security

(Trystan Lea) #1

@Cagabi identified a security hole today in emoncms that affects multi-user installations, resulting from the way the input process and virtual feed process lists were set. I have since fixed the issue and the fix is now available in the latest stable and master branch of emoncms.

see: https://github.com/emoncms/emoncms/releases/tag/9.8.11

The input processing part of the issue allowed an emoncms user to add a process to an input that referenced a feed of another emoncms user on the same installation, allowing both writing and reading of data - but only in realtime; historic data could not be overwritten or read. No metadata (feed name, userid etc.) could be read. This could be achieved with a call to the underlying input set processlist API.

The virtual feed part allowed a user to access the full history of a feed from any other user on the installation by adding the source feed process with the feedid of any feed, which again could be done with a call to the underlying API.

It's worth noting that for emonpi and emonbase installations running emoncms locally with a single emoncms account created (default install) this issue cannot be exploited, which means this is only an important update if you're running a multi-user installation where the potentially exploiting user has an emoncms account.

The input processing part of the issue was present on emoncms.org (which has now been fixed). I ran a script to verify the content of all input process lists on all emoncms.org inputs and did not identify any processlists referencing feeds or inputs from other accounts.

Trystan
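The bug class described in the post is a missing ownership check on feed ids supplied as process-list arguments. The following is an added illustration in Python and is not emoncms code (emoncms itself is PHP): the "processid:arg,processid:arg" list format, the process ids, the argument types and the feed/owner table are all assumptions made for this example. It contrasts a setter that stores the list after syntax checking only with one that rejects any list referencing a feed the caller does not own, which is the property the fix needs to guarantee for both the input process list and the virtual feed "source feed" process.

```python
"""Ownership check for process lists that reference feed ids.

Added example, not emoncms code. Models the class of bug described in
the post: a per-user process list is stored with feed ids as process
arguments, and the server must verify that every referenced feed belongs
to the calling user before accepting the list. The process ids, the
"processid:arg,processid:arg" format and the feed table are assumptions.
"""

# Constructed feed table: feedid -> owning userid (assumed schema).
FEEDS = {
    5: 1,
    6: 1,
    17: 2,
    18: 2,
}

# Constructed process registry: processid -> whether its argument is a feed id.
# Real installations have different processes; only the argument kind matters here.
PROCESS_ARG_IS_FEED = {
    1: True,   # e.g. a "log to feed" style process: argument is a feed id
    2: True,   # e.g. a "source feed" style process (virtual feed): argument is a feed id
    3: False,  # e.g. a "scale by value" process: argument is a number, not a feed
}


def parse_processlist(processlist):
    """Parse "procid:arg,procid:arg" into a list of (procid, arg) pairs.

    Malformed entries raise instead of being skipped, so a crafted list
    cannot smuggle an entry past the ownership check that follows.
    """
    if processlist.strip() == "":
        return []
    result = []
    for item in processlist.split(","):
        parts = item.split(":", 1)
        if len(parts) != 2 or not parts[0].strip().isdigit():
            raise ValueError("malformed process entry: %r" % item)
        result.append((int(parts[0]), parts[1].strip()))
    return result


def vulnerable_set_processlist(userid, processlist, store):
    """Before: stores the parsed list for `userid` without checking that the
    feeds it references belong to `userid`. Any authenticated user can thus
    attach a process writing to, or (via a source-feed process) reading
    from, any feed id on the installation."""
    store[userid] = parse_processlist(processlist)
    return True


def feeds_referenced(processes):
    """Return the feed ids referenced by feed-argument processes.

    Unknown process ids are rejected rather than ignored."""
    ids = []
    for procid, arg in processes:
        if procid not in PROCESS_ARG_IS_FEED:
            raise ValueError("unknown process id %d" % procid)
        if PROCESS_ARG_IS_FEED[procid]:
            if not arg.isdigit():
                raise ValueError("process %d expects a feed id, got %r" % (procid, arg))
            ids.append(int(arg))
    return ids


def safe_set_processlist(userid, processlist, store):
    """After: every feed id referenced by a feed-argument process must exist
    and be owned by `userid`; otherwise the whole list is rejected and
    nothing is stored. Returns True on success, False on rejection."""
    processes = parse_processlist(processlist)
    for feedid in feeds_referenced(processes):
        owner = FEEDS.get(feedid)
        # Same result for "does not exist" and "not yours", so the response
        # does not reveal which feed ids exist on the installation.
        if owner is None or owner != userid:
            return False
    store[userid] = processes
    return True


def demo():
    """User 1 submits a list that logs to own feed 5 and then to user 2's feed 17."""
    store_bad, store_good = {}, {}
    crafted = "1:5,1:17,3:0.5"
    accepted_by_vulnerable = vulnerable_set_processlist(1, crafted, store_bad)
    accepted_by_safe = safe_set_processlist(1, crafted, store_good)
    return accepted_by_vulnerable, accepted_by_safe, store_good


if __name__ == "__main__":
    print(demo())
```

The important design point is that the check runs on the stored representation the processing engine will later execute, not on some other view of the request, and that a single foreign feed id rejects the whole list rather than being silently dropped; an audit like the one the post describes is then simply `feeds_referenced` applied to every stored list with the owner comparison.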


(Paul) #2

Beware this update may break using the device module unless you change device module branch and flush redis when updating emoncms (see the Development: Devices, Inputs and Feeds in emoncms thread around 16th Nov for info).

AFAIK this only affects users of the emoncms device module.